Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Psychology of Security Automation

771 views

Published on

Presented at AutomaCon 2016 in Portland, OR on 9/28/2016.

Published in: Technology
  • Be the first to comment

The Psychology of Security Automation

  1. 1. The Psychology of Security Automation Jason Chan - Netflix Automacon 2016 @chanjbs
  2. 2. History: Developer - Security Relationship
  3. 3. Opportunities for Developers are Opportunities for Security Teams
  4. 4. Opportunities + History = Powerful Tools to Improve Security and Relationships!
  5. 5. Types of Security Automation
  6. 6. Types of Security Automation 1. Developer-Facing Tools
  7. 7. Types of Security Automation 1. Developer-Facing Tools 2. Developer-Security Collaboration
  8. 8. Types of Security Automation 1. Developer-Facing Tools 2. Developer-Security Collaboration 3. Internal Security Tools
  9. 9. Developer-Facing Tools
  10. 10. SSL/TLS!
  11. 11. Lemur
  12. 12. Lemur
  13. 13. Lemur • One-stop shop for SSL certificate management
  14. 14. Lemur • One-stop shop for SSL certificate management • Request, provision, deploy, monitor
  15. 15. Lemur • One-stop shop for SSL certificate management • Request, provision, deploy, monitor • Plugin architecture for certificate authorities, endpoints, etc.
  16. 16. Lemur and SSL Management Takeaways
  17. 17. Lemur and SSL Management Takeaways • APIs = Opportunities
  18. 18. Lemur and SSL Management Takeaways • APIs = Opportunities • Solves persistent, difficult, common problem
  19. 19. Lemur and SSL Management Takeaways • APIs = Opportunities • Solves persistent, difficult, common problem • Security++
  20. 20. Lemur and SSL Management Takeaways • APIs = Opportunities • Solves persistent, difficult, common problem • Security++ • Reliability++
  21. 21. Dev-Sec Collaboration
  22. 22. Old Ways of “Collaborating”
  23. 23. Old Ways of “Collaborating” • Skirmishes
  24. 24. Old Ways of “Collaborating” • Skirmishes • Meetings
  25. 25. Old Ways of “Collaborating” • Skirmishes • Meetings • Brouhahas
  26. 26. Old Ways of “Collaborating” • Skirmishes • Meetings • Brouhahas • Change review boards
  27. 27. Old Ways of “Collaborating” • Skirmishes • Meetings • Brouhahas • Change review boards • Fisticuffs
  28. 28. Old Ways of “Collaborating” • Skirmishes • Meetings • Brouhahas • Change review boards • Fisticuffs • Tickets
  29. 29. Case Study: Permissions Management in AWS
  30. 30. Permissions Management in AWS
  31. 31. Permissions Management in AWS • Innovation is enabled by composition of multiple services, but . . .
  32. 32. Permissions Management in AWS • Innovation is enabled by composition of multiple services, but . . . • Complex and sophisticated policy language with many conditions
  33. 33. Permissions Management in AWS • Innovation is enabled by composition of multiple services, but . . . • Complex and sophisticated policy language with many conditions • 2500+ individual API calls
  34. 34. Permissions Management in AWS • Innovation is enabled by composition of multiple services, but . . . • Complex and sophisticated policy language with many conditions • 2500+ individual API calls • New services/features released weekly
  35. 35. Rollie Pollie Permissions Management via ChatOps
  36. 36. Rollie Pollie Benefits
  37. 37. Rollie Pollie Benefits • Transparent decisions
  38. 38. Rollie Pollie Benefits • Transparent decisions • Eng-native workflows
  39. 39. Rollie Pollie Benefits • Transparent decisions • Eng-native workflows • Automated, secure, consistent
  40. 40. Internal Tooling
  41. 41. Application Security Automation with Dirty Laundry
  42. 42. Dirty Laundry’s Approach
  43. 43. Dirty Laundry’s Approach • Unix-like philosophy - execute task, return results, process, iterate
  44. 44. Dirty Laundry’s Approach • Unix-like philosophy - execute task, return results, process, iterate • Example: find all new ELBs, run a basic security scan against them, return results
  45. 45. Dirty Laundry’s Approach • Unix-like philosophy - execute task, return results, process, iterate • Example: find all new ELBs, run a basic security scan against them, return results • Example: for all Netflix employees with GitHub accounts, search their public repos for security issues, return results
  46. 46. Current Support
  47. 47. Current Support • Dynamic analysis - AppSpider, Arachni, Detectify
  48. 48. Current Support • Dynamic analysis - AppSpider, Arachni, Detectify • Static analysis - Bandit, Brakeman, FindSecBugs, Custom
  49. 49. Current Support • Dynamic analysis - AppSpider, Arachni, Detectify • Static analysis - Bandit, Brakeman, FindSecBugs, Custom • Others - curl, GitHub, OpenGrok
  50. 50. Dirty Laundry Benefits
  51. 51. Dirty Laundry Benefits • Embraces continuous deployment, self-service
  52. 52. Dirty Laundry Benefits • Embraces continuous deployment, self-service • Supports safe, high velocity development
  53. 53. Dirty Laundry Benefits • Embraces continuous deployment, self-service • Supports safe, high velocity development • Decouples push schedule from security team bandwidth
  54. 54. Takeaways
  55. 55. Takeaways • Security teams can leverage the high-velocity development ecosystem
  56. 56. Takeaways • Security teams can leverage the high-velocity development ecosystem • Shared history provides both lessons and input to development
  57. 57. Takeaways • Security teams can leverage the high-velocity development ecosystem • Shared history provides both lessons and input to development • Use engineering native workflows
  58. 58. Takeaways • Security teams can leverage the high-velocity development ecosystem • Shared history provides both lessons and input to development • Use engineering native workflows • Strive to make security more integrated and ubiquitous while also improving other system characteristics
  59. 59. Thanks! @chanjbs

×